Modern software, which often involves complex concurrent computations and operates in an uncertain environment, must be highly reliable and secure. Commonly used techniques for addressing the reliability and safety of modern software systems include model checking and testing. Testing is widely used, but it usually involves manual effort and is ill-suited for finding concurrency errors. Model checking [3], on the other hand, has shown great promise in finding subtle program errors in a completely automated way.

Given a (model of a) system and a property, model checking systematically enumerates, explicitly or symbolically, all the (reachable) system configurations and checks whether they conform with the property. The result of model checking is either “true”, if the property holds, or “false” if the property does not hold; in the latter case the model checking procedure also provides a detailed counter-example trace that leads to the property violation. Properties of interest include absence of deadlocks and data races in concurrent programs, or more general assertions and temporal logic formulae. Such formulae encode the expected behavior of the system in terms of safety and liveness, as well as timed, probabilistic or security properties.
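An added illustration, not code from the special issue or from any of its tools: a minimal explicit-state model checker in Python that enumerates every reachable interleaving of a constructed two-thread lock program, checks a deadlock-freedom property, and returns the shortest counter-example trace when the property fails.

```python
from collections import deque

# Constructed example: two threads take the same two locks in opposite order.
DEADLOCKING = {
    "T1": [("acq", "A"), ("acq", "B"), ("rel", "B"), ("rel", "A")],
    "T2": [("acq", "B"), ("acq", "A"), ("rel", "A"), ("rel", "B")],
}

def successors(programs, state):
    """Yield (label, next_state) for every enabled thread step, i.e. every
    interleaving. state = (program counters, lock owners) as sorted tuples."""
    pcs, owners = dict(state[0]), dict(state[1])
    for tid, prog in programs.items():
        pc = pcs[tid]
        if pc == len(prog):
            continue                         # thread has terminated
        op, lock = prog[pc]
        if op == "acq" and lock in owners:
            continue                         # lock held by another thread: blocked
        new_owners = {k: v for k, v in owners.items() if k != lock}
        if op == "acq":
            new_owners[lock] = tid
        new_pcs = dict(pcs, **{tid: pc + 1})
        yield f"{tid}: {op} {lock}", (tuple(sorted(new_pcs.items())),
                                      tuple(sorted(new_owners.items())))

def deadlock_free(programs, state):
    """Property: a state with no enabled step must have every thread finished."""
    finished = all(pc == len(programs[t]) for t, pc in state[0])
    return finished or any(True for _ in successors(programs, state))

def model_check(programs, holds):
    """Explicit-state BFS over all reachable states. Returns (True, []) if the
    property holds everywhere, else (False, shortest counter-example trace)."""
    init = (tuple((t, 0) for t in sorted(programs)), ())
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if not holds(programs, s):
            trace = []
            while parent[s] is not None:     # walk parent links back to init
                s, label = parent[s]
                trace.append(label)
            return False, trace[::-1]
        for label, t in successors(programs, s):
            if t not in parent:
                parent[t] = (s, label)
                queue.append(t)
    return True, []
```

Running `model_check(DEADLOCKING, deadlock_free)` reports the violation together with the two-step trace that reaches the deadlocked configuration; ordering both threads' acquisitions the same way makes the property hold.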

To ensure that model checking terminates, some form of abstraction is usually necessary to reduce the large search space of the original system to a smaller one that is more amenable to verification. Alternatively, model checking can be used as an effective bug-finding technique, and the detailed counter-example traces it provides can help in debugging the discovered errors. The number of possible system configurations that need to be explored is very large for most realistic practical applications. Consequently, there has been continuous effort over the years to address this scalability problem.

The articles enclosed here describe new model checking techniques, supported by robust and scalable tools, for the automated analysis of modern software systems.


The articles have been carefully reviewed and they are based on papers that were considered to be among the best at the SPIN 2009 model checking workshop [11]. The topics addressed range from probabilistic model checking and parallelization techniques for improved scalability to data race detection, symbolic analysis and model checking for security.

The first article [5] presents an effective technique for computing the probability of reaching a given set of states in a parametric Markov model. Such models can be used to reason about quantitative properties in systems where certain aspects are not fixed but rather depend on parameters. Previous work [4] suggested converting the Markov chain into a finite automaton, equivalent to a regular expression. The expression can be evaluated to a closed-form function representing the reachability probability. The bottleneck of the approach lies in the growth of the regular expression with the number of states. The authors propose to remedy the problem by intertwining the regular expression computation with its evaluation. This results in a practical method that has been implemented in the PARAM tool and has been demonstrated experimentally on network protocols.
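An added illustration of parametric reachability, not the PARAM tool's code: a constructed Markov chain whose transition probabilities are functions of a parameter valuation is reduced by state elimination, so the reachability probability is built up as a composed function of the parameters (here as Python closures rather than symbolic rational functions) without ever materializing a regular expression.

```python
# Constructed parametric Markov chain (not the PARAM tool's code). Each
# transition probability is a function of a parameter valuation, e.g.
# lambda v: v["p"], so the result is itself a function of the parameters.
def _zero(_):
    return 0.0

def _combine(old, f_us, f_sw, loop):
    # Term for the paths u -> s (s loops)* -> w: x_us * x_sw / (1 - x_ss).
    return lambda v: old(v) + f_us(v) * f_sw(v) / (1.0 - loop(v))

def parametric_reachability(trans, init, target):
    """trans: {(u, w): f} with f(valuation) -> probability.
    Returns g with g(valuation) = Pr[init reaches target], obtained by
    eliminating every state other than init and target one at a time."""
    P = {}
    for (u, w), f in trans.items():
        P.setdefault(u, {})[w] = f
    states = set(P) | {w for row in P.values() for w in row}
    for s in states - {init, target}:
        loop = P.get(s, {}).pop(s, _zero)          # self-loop of s, if any
        preds = [u for u in P if s in P[u]]        # every predecessor of s
        for u in preds:
            f_us = P[u].pop(s)
            for w, f_sw in P.get(s, {}).items():   # every successor of s
                P[u][w] = _combine(P[u].get(w, _zero), f_us, f_sw, loop)
        P.pop(s, None)                             # s is now eliminated
    direct = P.get(init, {}).get(target, _zero)
    self_loop = P.get(init, {}).get(init, _zero)   # init may loop back to itself
    return lambda v: direct(v) / (1.0 - self_loop(v))

# Constructed chain: 0 -p-> 1, 0 -(1-p)-> 2 (fail); 1 -r-> 3 (goal), 1 -(1-r)-> 0.
# Closed form: Pr[0 reaches 3] = p*r / (1 - p*(1-r)).
CHAIN = {
    (0, 1): lambda v: v["p"], (0, 2): lambda v: 1 - v["p"],
    (1, 3): lambda v: v["r"], (1, 0): lambda v: 1 - v["r"],
}

def reach_goal(p, r):
    return parametric_reachability(CHAIN, 0, 3)({"p": p, "r": r})
```

The returned function can be evaluated at any parameter valuation; for p = r = 0.5 it yields 1/3, matching the closed form.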

The second article [2] is also concerned with probabilistic reasoning, in the context of the PRISM model checking tool [9], where the satisfaction of desired properties is quantified with some probability. The authors propose algorithms for parallel probabilistic model checking using general-purpose graphics processing units. The proposed improvements target the numerical computations of the traditional sequential algorithms, since these computations can be parallelized efficiently on graphics processors. The parallel algorithms have been implemented in the PRISM model checker and have been evaluated on several case studies, showing significant speed-up.

The third article [8] addresses the problem of verifying data consistency in concurrent Java programs. The work targets data races caused by inconsistent accesses to multiple fields of an object, the so-called atomic-set serializability problem. Previous work used abstraction techniques to translate a concurrent Java program into an EML program, a modeling language based on pushdown systems and a finite set of re-entrant locks, and used only a semi-decision procedure to check the program. The present article extends that work by describing a full decision procedure for verifying data consistency, i.e., atomic-set serializability, of an EML program. The procedure has been implemented and it has been applied to detect both single-location and multi-location data races in models of concurrent Java programs.

The fourth article [10] presents a generic technique for creating the basic primitives used in symbolic program analysis: forward symbolic evaluation, weakest liberal precondition, and symbolic composition. Using this technique, one can automatically generate an implementation of a (forward or backward) symbolic program execution at the cost of writing only the specification of the concrete program semantics, in the form of an interpreter for the language of interest. The technique can be used for programming languages with pointers and arithmetic operations. The technique has been implemented and it has been used to generate symbolic-analysis primitives for the x86 and PowerPC instruction sets. The symbolic analysis generated with the generic technique presented here can be used in software model checking tools such as SLAM [1] and Blast [6], as well as in other automated bug-finding tools that rely on symbolic reasoning [14, 15].

Finally, the fifth article [13] presents an application of the SPIN model checker [7] to checking signature specifications. Signatures are matching rules that are used in intrusion detection systems when searching for attack traces in the recorded audit data based on pre-defined patterns. Intrusion detection systems are one of the most important means to protect information technology systems [12]. The effectiveness of an intrusion detection system depends on the adequacy of the signatures, which are usually defined empirically. Modeling a new signature is time-consuming and error-prone; consequently the modeled signature needs to be tested carefully. In this article, the authors present an approach to automatically checking signature specifications using the SPIN model checker. The signatures are modeled in the specification language EDL (a variant of Petri nets) and then translated into PROMELA, the input language of the SPIN model checking tool. SPIN is used to find specification errors, which are modeled using linear temporal logic.

In conclusion, the articles enclosed here describe new results in software model checking and analysis. The presented techniques are most useful for finding subtle and costly errors that cannot be found with traditional testing alone. The techniques have been implemented in robust tools and therefore show good promise for adoption in industry.